Password field with auto-complete

Low Web Application Scanning Plugin ID 98081

Synopsis

Password field with auto-complete

Description

In typical form-based web applications, it is common practice for developers to allow `autocomplete` within the HTML form to improve the usability of the page. With `autocomplete` enabled (the default), the browser is allowed to cache previously entered form values.
For legitimate purposes, this allows the user to quickly re-enter the same data when completing the form multiple times.
When `autocomplete` is enabled on either or both of the username and password fields, a cyber-criminal with access to the victim's computer could have the victim's credentials automatically filled in by the browser when visiting the affected page.
The scanner has discovered that the affected page contains a form with a password field that has not disabled `autocomplete`.

Solution

The `autocomplete` attribute can be configured in two different locations.
The first and most secure location is the `<form>` HTML tag. Disabling `autocomplete` there disables it for all inputs within that form. An example of disabling `autocomplete` on the form tag is `<form autocomplete="off">`.
The second, slightly less desirable option is to disable the `autocomplete` attribute on a specific `<input>` HTML tag. While this is the less desired solution from a security perspective, it may be the preferred method for usability reasons, depending on the size of the form. An example of disabling the `autocomplete` attribute on a password input tag is `<input type="password" autocomplete="off">`.
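The following Python script is an added example, not part of the plugin or of Tenable's scanner, that reproduces the check described in the Description and Solution sections: it parses an HTML document with the standard library's `html.parser` and reports every `<input type="password">` for which neither the enclosing `<form>` nor the input itself carries `autocomplete="off"`. The sample page, form ids and field names are constructed for the example. Only the literal value `off` counts as disabled, matching the plugin's criterion. Note that current mainstream browsers ignore `autocomplete="off"` on password fields for their built-in password managers, so the attribute limits the browser's form-history cache rather than acting as a hard control.

```python
from html.parser import HTMLParser


class PasswordAutocompleteChecker(HTMLParser):
    """Flags password inputs whose autocomplete is not disabled on the
    enclosing <form> or on the <input> itself (plugin 98081's condition)."""

    def __init__(self):
        super().__init__()
        # One entry per currently open <form>: (form label, autocomplete disabled?)
        self._form_stack = []
        # Each finding: which form, which input, and the source line it sits on
        self.findings = []

    @staticmethod
    def _autocomplete_off(attrs):
        # html.parser already lowercases attribute names; a bare attribute has value None
        value = dict(attrs).get("autocomplete")
        return value is not None and value.strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            label = a.get("id") or a.get("name") or "<anonymous form>"
            self._form_stack.append((label, self._autocomplete_off(attrs)))
            return
        if tag != "input":
            return
        # Missing type defaults to text, and type values are case-insensitive in HTML
        if (a.get("type") or "text").strip().lower() != "password":
            return
        if self._form_stack:
            form_label, form_off = self._form_stack[-1]
        else:
            form_label, form_off = "<no enclosing form>", False
        # Disabled at either level satisfies the plugin's solution; anything else is a finding
        if form_off or self._autocomplete_off(attrs):
            return
        self.findings.append({
            "form": form_label,
            "input": a.get("name") or a.get("id") or "<unnamed input>",
            "line": self.getpos()[0],
        })

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def find_password_autocomplete(html):
    """Return the list of password inputs that still allow autocomplete."""
    parser = PasswordAutocompleteChecker()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page exercising the form-level and input-level mitigations.
SAMPLE_HTML = """<html><body>
<form id="login" action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw">
</form>
<form id="signup" action="/signup" autocomplete="off">
  <input type="password" name="pw">
</form>
<form id="reset" action="/reset">
  <input type="password" name="pw2" autocomplete="off">
</form>
<form id="change" action="/change">
  <input type="PASSWORD" name="old">
  <input type="password" name="new" autocomplete="OFF">
</form>
</body></html>"""


if __name__ == "__main__":
    for finding in find_password_autocomplete(SAMPLE_HTML):
        print("form {form!r}: password input {input!r} on line {line} allows autocomplete".format(**finding))
```

Only the `login` form's `pw` field and the `change` form's `old` field are reported: `signup` is covered at the form level, while `reset` and the `new` field of `change` are covered on the input, the latter showing that the value comparison is case-insensitive.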

Plugin Details

Severity: Low

ID: 98081

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: Low

Reference Information